
ISE Smart Licensing problem

knnielsen
Level 1

Hi,

We recently converted our ISE 2.4 patch 4 to Smart licensing. We also converted our existing licenses (Base and Plus).

It worked for approx. one week and now it has stopped communicating with Cisco's licensing system.

When I try to use the Refresh button on the licensing page, I receive the error "Smart Licensing refresh failed". The last authentication was on 9th of February.

There is not much information in the log file - except for a "Send communication error". But when I try to ping tools.cisco.com from the CLI, it works just fine.

I am considering deregistering and then registering with the token again, but if it fails to re-register, I am in a bit of trouble (this ISE server is in production).

Any ideas for troubleshooting?

Best regards

Kenneth

2 Accepted Solutions


jdargence
Level 1

Finally figured out my issue. We replaced an outdated ACS with ISE, but weren't able to use the ACS IP in the new server, so we added a NAT to redirect all traffic on our firewall to ISE's new IP. Unfortunately this NAT was also interfering with NATting to the internet. Once this was resolved, ISE was able to contact the Cisco licensing servers. 


thomas
Cisco Employee

Suggest calling TAC for further troubleshooting of connectivity to CSSM.


8 Replies

paul
Level 10

I would guess you changed something on your URL filtering/firewall side that is blocking the communication.  Pings won't really test the communication.

Hi,

I can see an established connection in our firewall, when I try to test the profiler feed.

But when I try to refresh the licensing - nothing goes to the firewall, as if it never leaves the ISE server.

There is not much error information in the log, except:


2019-02-19 09:34:06,659 ERROR [Thread-88][] cisco.nesla.agent.impl.AsyncRequestProcessor -::::- failed to send request / process response: SmartAgentMessageRenew
2019-02-19 09:34:06,659 ERROR [Thread-88][] cisco.nesla.agent.impl.AsyncRequestProcessor -::::- schedule next reg renew
2019-02-19 09:34:06,659 INFO [Thread-88][] cpm.admin.license.sl.SmartAgentNotificationListener -::::- --> received global notification. NotifyIdCertRenewFail
2019-02-19 09:34:06,659 INFO [Thread-88][] cpm.admin.license.sl.SmartAgentNotificationListener -::::- this inside globalcom.cisco.cpm.admin.license.sl.SmartAgentNotificationListener@xxxxxxxx
2019-02-19 09:34:06,659 INFO [Thread-88][] cpm.admin.license.sl.SmartAgentNotificationListener -::::- notification type: NotifyIdCertRenewFail -- failure: Communication send error.
2019-02-19 09:34:06,659 INFO [Thread-88][] cpm.admin.license.sl.SmartAgentNotificationListener -::::- final formatted: Communication send error.
2019-02-19 09:34:06,659 INFO [Thread-88][] cpm.admin.license.sl.SmartAgentNotificationListener -::::- fail message: Communication send error.
2019-02-19 09:34:06,659 INFO [Thread-88][] cisco.cpm.admin.license.LicenseHelper -::::- inside logging external
2019-02-19 09:34:06,660 INFO [Thread-88][] cpm.admin.license.sl.SmartAgentNotificationListener -::::- ID certificate renewal failed

Best regards

Kenneth
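
Added example (not part of the thread and not Cisco code): a small Python parser for the log layout shown in the excerpt above. It extracts which Smart Agent request failed and the notification type and reason, so repeated renewal failures can be counted and dated in a long log. The line layout, the regexes, the `summarize` function and the last sample line are assumptions made for this example.

```python
import re
from collections import Counter

# Layout inferred from the excerpt in the post above (an assumption):
# "<date> <time>,<ms> <LEVEL> [<thread>][] <logger> -::::- <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+(?P<level>[A-Z]+)\s+"
    r"\[[^\]]*\]\[[^\]]*\]\s+(?P<logger>\S+)\s+-::::-\s+(?P<msg>.*)$"
)
SEND_FAIL_RE = re.compile(r"failed to send request / process response: (\w+)")
NOTIFY_RE = re.compile(r"notification type: (\w+) -- failure: (.+)$")

# The first three lines are copied from the excerpt above; the last one is
# constructed to show how a line without a timestamp is handled.
SAMPLE = """\
2019-02-19 09:34:06,659 ERROR [Thread-88][] cisco.nesla.agent.impl.AsyncRequestProcessor -::::- failed to send request / process response: SmartAgentMessageRenew
2019-02-19 09:34:06,659 ERROR [Thread-88][] cisco.nesla.agent.impl.AsyncRequestProcessor -::::- schedule next reg renew
2019-02-19 09:34:06,659 INFO [Thread-88][] cpm.admin.license.sl.SmartAgentNotificationListener -::::- notification type: NotifyIdCertRenewFail -- failure: Communication send error.
    (constructed) wrapped continuation text without a timestamp
"""

def summarize(text):
    """Count failed Smart Agent requests and failure notifications in log text."""
    failed, notes, stamps, unparsed = Counter(), Counter(), [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed += 1          # not in the expected layout; count, don't guess
            continue
        send = SEND_FAIL_RE.search(m["msg"])
        note = NOTIFY_RE.search(m["msg"])
        if send:
            failed[send.group(1)] += 1
        if note:
            notes[(note.group(1), note.group(2).strip())] += 1
        if send or note:
            stamps.append(m["ts"])
    return {
        "failed_requests": dict(failed),
        "notifications": dict(notes),
        "first": min(stamps) if stamps else None,   # ISO-style stamps sort lexically
        "last": max(stamps) if stamps else None,
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
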

jdargence
Level 1
Level 1

Did you ever figure this out? I am seeing similar problems with my deployment

Hi @jdargence 

Did you try to re-register with a new Token?

Hope this helps !!!

jdargence
Level 1

I did. I generated a new Token and tried to re-register, but the errors don't go away. The last authorization on my licenses is December 03 2020

Hi @jdargence 

The Last Authorization = Dec 3, 2020 is not "a problem".

Remember that:

"... If there is a change in the compliance status when synchronized with the CSSM server, the Last Authorization column of the Licenses table updates accordingly. In addition, when entitlements are no longer compliant, the number of days for which they are out of compliancy appears in the Days Out of Compliancy column..."

Please take a look at: Cisco ISE Licenses. Search for Cisco ISE Smart Licensing.

Hope this helps !!!
